Allow/Block guest access to Office 365 groups


You can allow or block guest users who are using a specific domain. For example, let's say your business (Contoso) has a partnership with another business (Fabrikam). You can add Fabrikam to your Allow list so your users can add those guests to their groups.

Or, let's say you want to block personal email address domains. You can set up a Block list that contains domains like Gmail.com and Outlook.com.

Important information about how block lists work

You can create either an Allow list or Block list. But you can't set up both types of lists. By default, whatever domains are not in an Allow list are on a Block list, and vice versa.

You can create only one policy per organization. You can update that policy with more domains, or you can delete that policy to create a new one.

This list works independently from the SPO allow/block list. You need to set up an Allow/Block list for SPO if you want to restrict individual file sharing of a Group-connected site.

This list doesn't apply to guest members who have already been added; it is enforced for all guests added after the list is set up. However, you can remove them through the script.
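
An added example, not part of the original article or of Microsoft's script: a read-only check that lists existing guests a planned Allow or Block list would not admit, since the policy itself leaves them in place. The function name, the sample guests, and the exact-match rule on the domain after the @ sign are assumptions.

```powershell
# Added example; Find-GuestOutsidePolicy is a hypothetical helper, not a module cmdlet.
function Find-GuestOutsidePolicy {
    param(
        [Parameter(Mandatory)] [object[]] $Guest,     # objects exposing a Mail property
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Block')] [string] $ListType,
        [Parameter(Mandatory)] [string[]] $Domain     # the one list the policy would hold
    )
    foreach ($g in $Guest) {
        # A guest without a usable address cannot be classified; surface it for manual review.
        if ([string]::IsNullOrWhiteSpace($g.Mail) -or $g.Mail -notmatch '@') {
            [pscustomobject]@{ Mail = $g.Mail; Domain = $null; Finding = 'NoMailAddress' }
            continue
        }
        # Take everything after the last '@' and normalise it.
        $guestDomain = ($g.Mail -split '@')[-1].Trim().ToLowerInvariant()
        # Assumption: exact domain match, no subdomain matching. -contains ignores case.
        $listed = $Domain -contains $guestDomain
        # Allow list: anything not listed is blocked. Block list: anything listed is blocked.
        $blocked = if ($ListType -eq 'Allow') { -not $listed } else { $listed }
        if ($blocked) {
            [pscustomobject]@{ Mail = $g.Mail; Domain = $guestDomain; Finding = 'OutsidePolicy' }
        }
    }
}

# Constructed sample guests so the check runs offline.
$sampleGuests = @(
    [pscustomobject]@{ Mail = 'ana@fabrikam.com' },
    [pscustomobject]@{ Mail = 'someone@gmail.com' },
    [pscustomobject]@{ Mail = 'Other@Outlook.com' },
    [pscustomobject]@{ Mail = $null }
)

# Against a tenant, after Connect-AzureAD, the input could instead come from:
#   $guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"
# (assumes each guest's Mail property holds the invited address)

# Planned Allow list containing only the partner domain.
Find-GuestOutsidePolicy -Guest $sampleGuests -ListType Allow -Domain 'fabrikam.com'

# Planned Block list of personal email domains.
Find-GuestOutsidePolicy -Guest $sampleGuests -ListType Block -Domain 'gmail.com', 'outlook.com'
```

The function only reports; removing a flagged guest remains a separate, deliberate step.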

Install the preview version of the Azure Active Directory Module for Windows PowerShell

IMPORTANT: The procedures in this article require the PREVIEW version of the Azure Active Directory Module for Windows PowerShell, specifically the AzureADPreview module version 2.0.0.98 or later.

Open Windows PowerShell as an administrator:

In your search bar, type Windows PowerShell.

Right-click on Windows PowerShell and select Run as Administrator.

The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an administrator.

Run this command to see if you have any versions of the Azure Active Directory Module for Windows PowerShell installed on your computer:

Get-Module -ListAvailable AzureAD*

If no results are returned, run this command to install the latest version of the AzureADPreview module:

Install-Module AzureADPreview

If only the AzureAD module is shown in the results, run these commands to install the AzureADPreview module:

Uninstall-Module AzureAD

Install-Module AzureADPreview

If only the AzureADPreview module is shown in the results, but the version is less than 2.0.0.98, run these commands to update it:

Uninstall-Module AzureADPreview

Install-Module AzureADPreview

If both the AzureAD and AzureADPreview modules are shown in the results, but the version of the AzureADPreview module is less than 2.0.0.98, run these commands to update it:

Uninstall-Module AzureAD

Uninstall-Module AzureADPreview

Install-Module AzureADPreview

Create a new Allow or Block list policy

Did you install the AzureADPreview module as instructed above? Not having the preview version is the #1 reason these steps don't work for people.

Go to Script for Allow/Block policy at Microsoft Download Center to download the script (Set-GuestAllowBlockDomainPolicy.ps1) for Allow/Block policy.

Migrate the existing allow/block policy from SharePoint Online

This list works independently from the SharePoint Online allow/block list. You need to set up an allow/block list for SharePoint Online if you want to restrict individual file sharing of a Group-connected site.

However, if your organization already has an allow/block list for SharePoint Online, you can migrate that list using this command.